Using the SIP Proxy Service

The Smoothwall supports a proxy to manage Session Initiation Protocol (SIP) traffic. SIP is often used to set up calls in Voice over Internet Protocol (VoIP) systems.

SIP normally operates on port 5060, and is used to set up sessions between two parties. In the case of VoIP, it is a Real-time Transport Protocol (RTP) session that is set up, and it is the RTP stream that carries voice data.

RTP operates on random unprivileged ports, and, as such, is not NAT friendly. For this reason, the Smoothwall’s SIP proxy ensures that RTP is also proxied, allowing VoIP products to work correctly.

The Smoothwall’s SIP proxy is also able to proxy RTP traffic, solving some of the problems involved in setting up VoIP behind NAT.

There are two types of SIP proxy: a registering SIP proxy, and a pass-through proxy. A registering proxy or registrar allows SIP clients to register so that they may be looked up and contacted by external users. A pass-through proxy merely rewrites the SIP packets such that the correct IP addresses are used and the relevant RTP ports can be opened.
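The following Python example is added here to illustrate the rewriting a pass-through proxy performs; it is not Smoothwall's code. It replaces the private address and RTP port that an internal phone advertises in its SDP body with an external address and relay port, records the RTP mapping to open, and recomputes Content-Length. The helper name `rewrite_for_nat`, the `relay_ports` iterator, the addresses and the sample INVITE are all constructed assumptions.

```python
# Constructed sample: INVITE from an internal phone (192.168.1.20) to an external ITSP.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@itsp.example SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK-constructed",
    "From: <sip:alice@itsp.example>;tag=1",
    "To: <sip:bob@itsp.example>",
    "Call-ID: constructed-1",
    "CSeq: 1 INVITE",
    "Contact: <sip:alice@192.168.1.20:5060>",
    "Content-Type: application/sdp",
    "Content-Length: 120",
    "",
    "v=0",
    "o=alice 1 1 IN IP4 192.168.1.20",
    "s=-",
    "c=IN IP4 192.168.1.20",    # private address the far end would send RTP to
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",  # random unprivileged RTP port on the phone
    "a=rtpmap:0 PCMU/8000",
    "",
])

def rewrite_for_nat(msg, internal_ip, external_ip, relay_ports):
    """Hypothetical helper; returns (message, {relay_port: (internal_ip, rtp_port)})."""
    head, _, body = msg.partition("\r\n\r\n")
    pinholes, sdp, headers = {}, [], []
    for line in body.split("\r\n"):
        if line == f"c=IN IP4 {internal_ip}":
            line = f"c=IN IP4 {external_ip}"
        elif line.startswith("m="):
            media, port, rest = line.split(" ", 2)
            relay = next(relay_ports)            # free external UDP port (assumed)
            pinholes[relay] = (internal_ip, int(port))
            line = f"{media} {relay} {rest}"
        sdp.append(line)
    body = "\r\n".join(sdp)
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name == "contact":
            line = line.replace(internal_ip, external_ip)
        elif name == "content-length":
            # The body changed size, so the declared length must be recomputed.
            line = f"Content-Length: {len(body.encode())}"
        headers.append(line)
    return "\r\n".join(headers) + "\r\n\r\n" + body, pinholes

if __name__ == "__main__":
    out, holes = rewrite_for_nat(SAMPLE_INVITE, "192.168.1.20", "203.0.113.5", iter([20000]))
    print(out, holes, sep="\n")
```

The returned mapping is what an RTP proxy needs in order to relay media arriving on the external port back to the phone's internal address and port.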

Some clients allow users to configure only one SIP proxy, which is invariably the registering proxy. Others allow two proxies: one to which the client registers, and one which the client uses for access (a pass-through).

As with many types of proxy, the SIP proxy can be used in transparent mode. In transparent mode, the proxy is only useful as a pass-through.

This mode is useful for those clients which do not support a second proxy within their configuration. If all your clients can be properly configured with a second proxy, transparent mode is not required.

If the proxy is operating in transparent mode, the non-transparent proxy is still available, so a mixture of operation is possible.

• Maximum number of clients — Select the maximum number of clients which can use the proxy.

Setting the maximum number of clients is a useful way to prevent malicious internal users performing a Denial of Service (DoS) attack on your registering proxy.

• Transparent — The SIP proxy may be configured in both transparent and non-transparent mode. Select this option if you require a transparent SIP proxy.

When operating transparently, the SIP proxy is not used as a registrar, but allows internal SIP devices to communicate properly with an external registrar such as an ITSP.

• SIP client internal address — From the drop-down list, select the interface for the SIP proxy to listen for internal connections on. This is the interface SIP clients use.

• SIP client external address — From the drop-down list, select the interface for the SIP proxy to listen for external connections on.

• Diffserv mark for RTP packets — From the drop-down menu, select a Diffserv mark to apply to SIP RTP packets.

The built-in RTP proxy is able to apply a Diffserv mark to all RTP traffic that it proxies. This is useful because it is otherwise quite tricky to identify RTP traffic, as it may occur on a wide range of ports. Prioritizing SIP traffic on port 5060 would not make any difference to VoIP calls.

The standard mark is BE which is equivalent to doing nothing. Other marks may be interpreted by upstream networking equipment, such as that at your ISP.

• Log calls — Select if individual call logging is required.

• Exception local IP addresses — List those hosts which should not be forced to use the transparent SIP proxy. Each entry must be on a new line. You can either list individual IP addresses, or enter a range using a hyphen “-” as the delimiter.

3. Click Save to enable and implement SIP proxying.

Note: If a client is using the proxy when transparent proxying is turned on, the existing users may fail to use the transparent proxy until the firewall is rebooted. This is due to the in-built connection tracking of the firewall’s NAT.